As one way to speed up its adoption of commercial cloud computing, the Navy has decided to diffuse more authority and responsibility to various commands throughout its organization. But that doesn’t mean industry should expect to see a rapid flowering of new contract vehicles for the purchase of new cloud services.
Rather, for the sake of standardization and to avoid contract duplication, the Navy expects the overwhelming majority of the service’s cloud spending to be funneled through a large Navy enterprise cloud contract that’s expected to be in place by June. The contract is likely to be awarded to multiple vendors offering a variety of types of cloud services.
“I think people will find that the enterprise contract will have probably 95 percent of what they need,” Rear Adm. Danelle Barrett, the Navy’s chief information officer told Federal News Radio. “Exceptions to that — not using the enterprise contract — would be very limited exceptions to the rule. If you are going to deviate off the enterprise contract, you have to come and tell us why, and we have to agree. You really have to show us why what’s on the enterprise contract doesn’t meet your requirements.”
In a wide-ranging interview on the Navy’s current cloud strategy, Barrett’s comments shed additional light on how the service intends to move forward with a plan it ordered in December to decentralize its “cloud broker” functions to eight separate commands representing various functional communities, just two years after it had decided to consolidate those responsibilities within the Program Executive Office for Enterprise Information Systems (PEO-EIS).
The new brokers —each of the Navy’s systems commands, plus Navy Installations Command, Military Sealift Command and the office of Strategic Systems Programs — will be permitted to set up their own cloud contracts when they have mission-unique demands that aren’t satisfied by the enterprise contract. But that won’t be their primary role.
“A lot of what they have to do is get their applications ready for migrating to the cloud,” Barrett said. “It’s going to be things like making sure that their people adhering to the configuration that their applications are supposed to have in the cloud, keeping metrics on how the information in that environment is behaving. They’re going to have to make sure that their baseline configuration is maintained and things like that. So there’s oversight responsibilities of how all those applications behave in the cloud, and that’s almost too much for one organization — PEO-EIS — to handle. It’s best to have the folks that are the functional area managers of those applications managing the execution of the contract on their behalf.”
Meanwhile, the new policy gives higher-level Navy officials the responsibility to ensure consistency in service’s cloud migrations and prevent stovepiped approaches.
Barrett will serve as the Navy’s “enterprise cloud broker,” with PEO-EIS handling much of the day-to-day governance and acquisition work as her executive agent.
“PEO-EIS will do things like delivery of the enterprise commercial cloud contract itself and enforcing all the policy and governance rules with those cloud brokers that we’ve identified,” she said. “They would also onboard any new enterprise commercial cloud services that come along after the contract, because we anticipate that vendors will continue to add great capability that we’re going to want to leverage either from a cybersecurity perspective or from a data analytics perspective. They’ll also arrange for training, especially the application owners: how to migrate their apps, get them cloud ready, how to secure them in the cloud. Because a lot of the intrusions we’ve seen so far are because of the cloud provider’s infrastructure itself, it’s with the improperly configured third party application that’s in that portion of the cloud.”
The new brokerage policy also involves the creation of a Navy Cloud Executive Steering Group, a moniker that mirrors the DoD-level CESG Deputy Defense Secretary Patrick Shanahan stood up last September.
The Navy version of the oversight body will include representation by Fleet Cyber Command, which is still in the process of writing a concept of operations for how it will command and control Navy systems and data once they’re hosted in off-site commercial environments. Fleet Cyber Command will also serve as the Navy’s “authorizing official” for cloud platforms.
The restructuring of roles and responsibilities is happening in the context of a “cloud first” policy that Barrett’s predecessor, Janice Haith, signed just over a year ago.
Despite limited progress in the actual migration of applications since then, the policy remains in full force, Barrett said, and the Navy still wants to move most of its applications to commercial cloud environments to the maximum extent possible, including those that handle secret-level data.
“But it’s going to be a ‘do no harm’ approach,” she said. “There may be information where we say, ‘OK, even though I could move it to the cloud, I don’t have a good track record on commercial cloud yet.’ They haven’t been out there for 30 years doing this in way that we can say they’ve got an impeccable track record of getting it right. So we do have a little bit of deliberateness in this process. Maybe we don’t move nuclear command and control control data, for example, or ballistic missile defense data. Maybe there’s certain things where we say, OK, let’s see how it goes with these other applications first and see if everything goes well. Once we have the confidence that we can still command and control our information once it’s in the cloud, then we may move those last few sensitive applications. But those decisions will be made based on the nature of the data, the application owner, the information owner and the mission.”